Analysis Date: 2014-12-02 10:43:33
MD5: 5915ee59e1637621c3a806daffe6f735
SHA1: 206d85591eb8649c0b0a4566362a5f803137f7a0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: dea6db918da9f94a5b3456f0a6962539 sha1: 345a33e77cb1f09b037a1aca10790314890e0b27 size: 22528
Section .rdata md5: 9190c6db7414daa9b06cf348f29edc25 sha1: 4db3e3efb893e9cd192a0bdce5c77f0ecb912136 size: 9216
Section .data md5: 7e45ddec4d601e3a13b9aad961f7038f sha1: 17e5845294cae6963715a8a46c02ce7c6589273e size: 102400
Section .edata md5: 9d7ad2c4406547076e8dec5106224e19 sha1: 5b14d5168d5a645e9faef252f567475ace97de26 size: 3072
Section .badata md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc md5: 7e6ec760c401f3cb28906c62daa8fb39 sha1: e495e89652c12b6a6d9b4af4d0e4a6d82ad4a488 size: 8704
Timestamp: 2009-08-16 18:10:16
Version:
LegalCopyright: Copyright © 2009 GSimon Tathamw All rights reserved.
InternalName: znozerd.exe
FileVersion: 2.0.0.122
CompanyName: Simon Tatham
LegalTrademarks:
Comments:
ProductName: ej
ProductVersion: 2.0.0.122
FileDescription: KTCodec8f Setup TU
OriginalFilename: znozerd.exe
Packer: Borland Delphi v3.0
PEhash: f56b003057783bcf1853c7e20e4376241b62726b
IMPhash: c83efd2f132d685486484b7267611f69
AV 360 Safe: Gen:Variant.Kazy.24302
AV Ad-Aware: Gen:Variant.Kazy.24302
AV Alwil (avast): MalOb-EM [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Downloader.CO.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen3
AV BullGuard: Gen:Variant.Kazy.24302
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Downloader-131793
AV Dr. Web: Trojan.DownLoader3.2289
AV Emsisoft: Gen:Variant.Kazy.24302
AV Eset (nod32): Win32/Kryptik.OBK
AV Fortinet: W32/PackZbot.D!tr
AV Frisk (f-prot): W32/Downloader.CO.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.24302
AV Grisoft (avg): Downloader.FraudLoad.BY
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan ( 0026c81d1 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.Downloader.VCP
AV Mcafee: Downloader-CEW.au
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.24302
AV Rising: Trojan.Win32.Generic.12880D25
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen63
AV Trend Micro: TROJ_RENOS.SM10
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\Ojawia.exe
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\Ojawia.exe
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Process
↳ C:\WINDOWS\Ojawia.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Creates File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates File: PIPE\lsarpc
Deletes File: C:\WINDOWS\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job
Creates Mutex: Global\{BC9BACEF-649A-45ff-A468-C000D051F283}

Network Details:

DNS: wikileaks.org  Type: A  95.211.113.131
DNS: wikileaks.org  Type: A  95.211.113.154
DNS: wikileaks.org  Type: A  195.35.109.44
DNS: wikileaks.org  Type: A  195.35.109.53
DNS: wikileaks.org  Type: A  91.218.114.210
DNS: wikileaks.org  Type: A  91.218.244.151
DNS: articlesbase.com  Type: A  216.146.46.10
DNS: articlesbase.com  Type: A  216.146.46.11
DNS: 10086.cn  Type: A  117.136.139.2

Strings
...
....
..
.
2..
b
.'.L..
040904E4
2.0.0.122
 2009 GSimon Tathamw All rights reserved.
a3va
Comments
CompanyName
Copyright 
	Ctrl+C
FileDescription
FileVersion
InternalName
KTCodec8f Setup TU
LegalCopyright
LegalTrademarks
 (MAP)
MS Shell Dlg
OriginalFilename
ProductName
ProductVersion
Simon Tatham
StringFileInfo
SysTreeView32
Translation
U(UK
VarFileInfo
VS_VERSION_INFO
znozerd.exe
05`c4Hd]8
~~05CY
0,OAn	
 (0^p@
0umP6Sc<
-{0XZH
17yYhU=A
/1H:48W2
1OLEAzUT
2.e$SZ
2|YZF9
33333333333333333333333333333333333333333333333333333333333333333333333333333333(
3	_VYJ
3y*uDC
"4c|Za
^_[4sG;U
4uCH\o'H
4XuUvK
4Y?X<wTB
50c H4]$
5~1Ih8
:5<3PEu
!}5/8[b%
5}_DdC
5EBv<;
5hcpuzctH|[ME
5h)=>q
$5 jp 
5mwT]D
5=n+wv
 5Pc$HT](
5#QEUs;$zm
;5Rvt"h
	5)xIt
~5"z@x!
6"T%@ 
7c,t@6o
^8]bUA!
8H@CnHD]L
_8Vj."/
  -~!9
9#Gt2P
9~)H6A@Z
9r4/.p
_9SEtN
A0WjD*
ActivateKeyboardLayout
AdjustWindowRectEx
Al5p]N
appwiz.cpl
b1Ov^:
B9^Lqq
@.badata
C1aMXm
c@7XAuK
c8H0]<
CF_Nc-
CFXamx
CharLowerA
CharLowerBuffA
CharUpperA
CharUpperBuffA
c_L{E*v
CloseClipboard
c\oAK\
CreatePopupMenu
CreateWindowExA
D4Wlvx
D5pcHHt@
@.data
DefMDIChildProcA
DefWindowProcA
!=dE&G
DeleteMenu
(DE[PLY5U#^
DestroyCursor
DestroyIcon
DEv]eo
DragQueryFileA
DrawEdge
E1TbeFD97t
E46p(-{Q
.edata
EFFGA;
EnableScrollBar
(@E\PHA]
eQFp3a
EqualRect
ExitProcess
f1'H3G]_
?F5<9]
FAo*=r1MT0h]adI
[>f-#c
%feac[(s
F,Il@j
FindClose
FormatMessageA
FreeLibrary
f-{;Y)
fyUSHLW
g@D>Us
GetActiveWindow
GetClassNameA
GetClientRect
GetCPInfo
GetCursor
GetCursorPos
GetDiskFreeSpaceA
GetForegroundWindow
GetKeyboardLayout
GetLocalTime
GetMenu
GetMenuItemID
GetMenuStringA
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetScrollInfo
GetScrollPos
GetStartupInfoA
GetStringTypeA
GetSysColorBrush
GetSystemDefaultLangID
GetSystemMenu
GetSystemMetrics
GetThreadLocale
GetWindow
GetWindowLongA
GetWindowRect
GetWindowTextLengthA
,{gFPt[
GlobalFindAtomA
gP|b*R
GS987654
HeapFree
HHKYA`f
Hw@K8F
I9NUZ.7
~I-HZ9
iJAAcKs
InflateRect
IntersectRect
IsCharLowerA
IsRectEmpty
IsWindowEnabled
IsWindowUnicode
IsZoomed
It':!1
ITY	eI^Y
J+K*K>
JlHsX~
||JX4f49X
$kdpP@
^kEb7q
kernel32.dll
KGPYY%
@KnYiA
`~ksEcm
KYcpyO
kYNl@qs
L'.$#^
;L)2P8
L5@ctHD]|
%lEHYj
LoadIconA
LoadKeyboardLayoutA
LoadLibraryA
LoadResource
LockResource
Lr(fP\
lsBn)U
lstrlenW
LY5U#^u
|(&M\87
MapWindowPoints
|May( 23W01
;MBZuq
MC{t:;
M$iN r
.m p*;9
;Ms{ `
MSSVCP60
]mUl,?
^Muo<&
nAQ\hC
nGlK G?
NjI.GG
Np|(X^
nt>*.DtY
\NY?\-w
OLE32.DLL
OpenClipboard
O&rE.Y
P=.4.1
p>;)57pTl
p7gPoWZ
pD&\?BY
PDXf.[
PF3s% 
PjF_l~E
pKYU1,
pl*6YKwo
PostMessageA
PostQuitMessage
"\P;qDt8-
Pxma5`>r
q5R*rS.
@qFL0u4
QglB@Pl
qHgwjD,7_
Q`L>6P
qM{~=;
 q`SjXG
^qutI	G
@QZD^ZVU
r3QmRVY
`.rdata
rDe Pc
ReadFile
RegisterClassA
RegisterWindowMessageA
r;H/H-"
RProcAd
R.q7lnV
RQPSP+
@.rsrc
\R]uC`
|RWGQPjT
[.;.s.
S+3lx}
?sCwap{
SendMessageA
SendMessageW
SetClassLongA
SetErrorMode
SetFilePointer
SetMenu
SetTimer
SetWindowPlacement
SHELL32.DLL
Shell_NotifyIconW
SHFileOperationA
si%c] o
\sionM
sk4e|'Z-F
SldiMi2sgm4nU@20
SMS5|(1
SoElZCJSc
StgCreateDocfileOnILockBytes
 SvWVp
"'sWj)
#s!xuY
!This program cannot be run in DOS mode.
TkN|J0
TranslateMDISysAccel
TSj Sf
TUc.9_Qn
TVD:CA
,tVxvC
Twls>Zh0(#"
`u;63~
uc|1jV
Uc(`k[p
?u*iogn
|.+uL^X
UNIQST$R
upe(OWi8+
USER32.DLL
uW8]a6o
UY!2<7tA
U}Z&(Qe>^I
V1)OQBWI
V&[; 4Q_Up
VASVWPB
VbtuWAIK
VCharT
VGjq,>
vG~XF0
VirtualAllocEx
V<SSeX
VY8Z-v
W$5(c0{m
W\5`fY4
WaitMessage
W@EE^Gu
WindowFromPoint
wJ|oR2
WL}S2P
W`.rdat
WRQPSSja
wsprintfA
(~>W&Swhd
X5d{od
X$5SYs
X8CHuX
X$C4uD
Xd!iv~
x=$>IA
x&i[j(
xImRVAX
XY5`#h
X[YZdJ
y5x>r0
YB(3|?
YcLX:u,
yfExorDV
#Y\'G7]
+/YG)V
Y`\WrX
YWs-r:u
Z0Y}kX
Z50%J=eN!
Z6Yx-$
zB9^Ot
znozerd.exe
;Zu6/E0
ZUv+f	
zxSkwQ